Security is an important issue in modern computer networks. Correctly identifying potential viruses and suspicious activities is an important aspect of host and network security. Some intrusion detection programs use signatures to identify viruses or attacks. However, such an approach offers no protection until the signatures become available. Some existing intrusion detection programs provide security protection by observing traffic patterns on the network to learn normal system behavior, and by detecting activities that have not occurred previously. Some advanced host-based security systems offer protection by detecting variations from normal system behavior. Such activities are generally deemed to be potential attacks and may be identified and/or prevented.
A typical intrusion detection program monitors system activities and learns about the normal run-time behavior of the system after it is installed. Information about the normal activities of the system, such as which applications may open network connections, is typically gathered by observing network traffic. The program usually spends a significant amount of time learning about these behaviors before it begins to offer protection. If a patch or system upgrade is applied, the program usually must relearn the dynamic, run-time behavior of the system. Only after the relearning phase is completed does the program start to offer protection again.
While it is useful to provide security protection based on known system behavior using the methods described above, several problems remain. Existing intrusion detection programs typically have long learning and relearning cycles and generally do not provide protection during these periods, thus leaving the system vulnerable to attack. Also, existing programs are typically implemented using large configuration lists to track system behavior and tend to be resource intensive. Furthermore, these existing programs usually do not offer sufficient insight into the risks to which the system is vulnerable. It would be desirable to have a way to offer intrusion detection and protection without requiring extensive learning periods. It would also be useful if such a technique could be efficiently implemented and would provide better risk information.
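The learning-based approach described in the two preceding paragraphs, and the protection gap it creates, can be made concrete with a small model. The following is an added illustration, not code from the original document: it learns which (process, port) pairs are normal during a fixed learning window, alerts on unseen pairs afterwards, and shows how a patch-triggered relearning window lets a new connection pass unflagged. The event list and the window length are constructed sample values.

```python
# Constructed sample events: (timestamp_sec, process, remote_port).
# Normal activity first, then a previously unseen process opening a connection.
EVENTS = [
    (0, "sshd", 22), (5, "httpd", 80), (30, "httpd", 443),
    (70, "httpd", 80), (90, "sshd", 22),
    (120, "unknown.exe", 4444),   # not in the baseline
    (130, "httpd", 80),
]

class BaselineMonitor:
    """Learns normal (process, port) pairs during a learning window, then
    flags pairs it has not seen. While learning, nothing is ever flagged,
    which is the unprotected period the text describes."""

    def __init__(self, learn_seconds):
        self.learn_seconds = learn_seconds
        self.reset(start=0)

    def reset(self, start):
        # Called at install time and again after a patch or upgrade;
        # the learned baseline is discarded and learning starts over.
        self.start = start
        self.baseline = set()

    def learning(self, ts):
        return ts - self.start < self.learn_seconds

    def observe(self, ts, process, port):
        key = (process, port)
        if self.learning(ts):
            self.baseline.add(key)      # record as normal, do not alert
            return None
        if key not in self.baseline:
            return f"ALERT t={ts}: {process} -> port {port} not in baseline"
        return None

def run(events, learn_seconds, relearn_at=None):
    """Replay events; return (alerts, number of events seen while unprotected)."""
    mon = BaselineMonitor(learn_seconds)
    alerts, unprotected = [], 0
    for ts, proc, port in events:
        if relearn_at is not None and ts >= relearn_at and mon.start < relearn_at:
            mon.reset(start=relearn_at)  # simulated patch forces relearning
        if mon.learning(ts):
            unprotected += 1
        alert = mon.observe(ts, proc, port)
        if alert:
            alerts.append(alert)
    return alerts, unprotected

if __name__ == "__main__":
    print(run(EVENTS, learn_seconds=60))                 # 1 alert, 3 unprotected
    print(run(EVENTS, learn_seconds=60, relearn_at=100))  # 0 alerts, 5 unprotected
```

With a relearning window opened at t=100, the unknown process is recorded as normal instead of being flagged, which is exactly the exposure the text attributes to long relearning cycles.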